Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_signature_algorithms.h"
17 : :
18 : : #include "crypto/s2n_fips.h"
19 : : #include "crypto/s2n_rsa_pss.h"
20 : : #include "error/s2n_errno.h"
21 : : #include "tls/s2n_auth_selection.h"
22 : : #include "tls/s2n_cipher_suites.h"
23 : : #include "tls/s2n_connection.h"
24 : : #include "tls/s2n_kex.h"
25 : : #include "tls/s2n_security_policies.h"
26 : : #include "tls/s2n_signature_scheme.h"
27 : : #include "utils/s2n_safety.h"
28 : :
29 : : static S2N_RESULT s2n_signature_scheme_validate_for_send(struct s2n_connection *conn,
30 : : const struct s2n_signature_scheme *scheme)
31 : 141694 : {
32 [ - + ][ # # ]: 141694 : RESULT_ENSURE_REF(conn);
33 : :
34 : : /* If no protocol has been negotiated yet, the actual_protocol_version will
35 : : * be equivalent to the client_protocol_version and represent the highest
36 : : * version supported.
37 : : */
38 [ + - ][ + + ]: 141694 : RESULT_ENSURE_GTE(conn->actual_protocol_version, scheme->minimum_protocol_version);
39 : :
40 : : /* QUIC only supports TLS1.3 */
41 [ + + ][ + + ]: 137519 : if (s2n_connection_is_quic_enabled(conn) && scheme->maximum_protocol_version) {
42 [ + - ][ + - ]: 96 : RESULT_ENSURE_GTE(scheme->maximum_protocol_version, S2N_TLS13);
43 : 96 : }
44 : :
45 [ - + ]: 137423 : if (!s2n_is_rsa_pss_signing_supported()) {
46 [ # # ][ # # ]: 0 : RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_RSAE);
47 : 0 : }
48 : :
49 [ - + ]: 137423 : if (!s2n_is_rsa_pss_certs_supported()) {
50 [ # # ][ # # ]: 0 : RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
51 : 0 : }
52 : :
53 : 137423 : return S2N_RESULT_OK;
54 : 137423 : }
55 : :
56 : : static bool s2n_signature_scheme_is_valid_for_send(struct s2n_connection *conn,
57 : : const struct s2n_signature_scheme *scheme)
58 : 107938 : {
59 : 107938 : return s2n_result_is_ok(s2n_signature_scheme_validate_for_send(conn, scheme));
60 : 107938 : }
61 : :
62 : : static S2N_RESULT s2n_signature_scheme_validate_for_recv(struct s2n_connection *conn,
63 : : const struct s2n_signature_scheme *scheme)
64 : 33756 : {
65 [ - + ][ # # ]: 33756 : RESULT_ENSURE_REF(scheme);
66 [ # # ][ - + ]: 33756 : RESULT_ENSURE_REF(conn);
67 : :
68 [ + + ]: 33756 : RESULT_GUARD(s2n_signature_scheme_validate_for_send(conn, scheme));
69 : :
70 [ + + ]: 33708 : if (scheme->maximum_protocol_version != S2N_UNKNOWN_PROTOCOL_VERSION) {
71 [ + - ][ + + ]: 3516 : RESULT_ENSURE_LTE(conn->actual_protocol_version, scheme->maximum_protocol_version);
72 : 3516 : }
73 : :
74 [ - + ][ # # ]: 33027 : RESULT_ENSURE_NE(conn->actual_protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION);
75 [ + + ]: 33027 : if (conn->actual_protocol_version >= S2N_TLS13) {
76 [ + - ][ + + ]: 26085 : RESULT_ENSURE_NE(scheme->hash_alg, S2N_HASH_SHA1);
77 [ + - ][ + + ]: 26084 : RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA);
78 : 26084 : }
79 : :
80 : 33025 : return S2N_RESULT_OK;
81 : 33027 : }
82 : :
83 : : static bool s2n_signature_scheme_is_valid_for_recv(struct s2n_connection *conn,
84 : : const struct s2n_signature_scheme *scheme)
85 : 33756 : {
86 : 33756 : return s2n_result_is_ok(s2n_signature_scheme_validate_for_recv(conn, scheme));
87 : 33756 : }
88 : :
89 : : static S2N_RESULT s2n_signature_algorithms_get_legacy_default(struct s2n_connection *conn,
90 : : s2n_mode signer, const struct s2n_signature_scheme **default_sig_scheme)
91 : 499 : {
92 [ # # ][ - + ]: 499 : RESULT_ENSURE_REF(conn);
93 [ - + ][ # # ]: 499 : RESULT_ENSURE_REF(default_sig_scheme);
94 : :
95 : 499 : s2n_authentication_method auth_method = 0;
96 [ + + ]: 499 : if (signer == S2N_CLIENT) {
97 [ - + ]: 4 : RESULT_GUARD_POSIX(s2n_get_auth_method_for_cert_type(
98 : 4 : conn->handshake_params.client_cert_pkey_type, &auth_method));
99 : 495 : } else {
100 [ # # ][ - + ]: 495 : RESULT_ENSURE_REF(conn->secure);
101 [ - + ][ # # ]: 495 : RESULT_ENSURE_REF(conn->secure->cipher_suite);
102 : 495 : auth_method = conn->secure->cipher_suite->auth_method;
103 : 495 : }
104 : :
105 [ + + ]: 499 : if (auth_method == S2N_AUTHENTICATION_ECDSA) {
106 : 142 : *default_sig_scheme = &s2n_ecdsa_sha1;
107 : 357 : } else {
108 : 357 : *default_sig_scheme = &s2n_rsa_pkcs1_md5_sha1;
109 : 357 : }
110 : 499 : return S2N_RESULT_OK;
111 : 499 : }
112 : :
113 : : S2N_RESULT s2n_signature_algorithm_recv(struct s2n_connection *conn, struct s2n_stuffer *in)
114 : 2983 : {
115 [ # # ][ - + ]: 2983 : RESULT_ENSURE_REF(conn);
116 : :
117 : 2983 : const struct s2n_signature_scheme **chosen_sig_scheme = NULL;
118 : 2983 : s2n_mode peer_mode = S2N_PEER_MODE(conn->mode);
119 [ + + ]: 2983 : if (peer_mode == S2N_CLIENT) {
120 : 104 : chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
121 : 2879 : } else {
122 : 2879 : chosen_sig_scheme = &conn->handshake_params.server_cert_sig_scheme;
123 : 2879 : }
124 : :
125 : : /* Before TLS1.2, signature algorithms were fixed instead of negotiated */
126 [ + + ]: 2983 : if (conn->actual_protocol_version < S2N_TLS12) {
127 : 175 : return s2n_signature_algorithms_get_legacy_default(conn, peer_mode, chosen_sig_scheme);
128 : 175 : }
129 : :
130 : 2808 : uint16_t iana_value = 0;
131 [ + - ][ + + ]: 2808 : RESULT_ENSURE(s2n_stuffer_read_uint16(in, &iana_value) == S2N_SUCCESS,
132 : 2807 : S2N_ERR_BAD_MESSAGE);
133 : :
134 : 2807 : const struct s2n_signature_preferences *signature_preferences = NULL;
135 [ - + ]: 2807 : RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
136 [ - + ][ # # ]: 2807 : RESULT_ENSURE_REF(signature_preferences);
137 : :
138 [ + + ]: 17832 : for (size_t i = 0; i < signature_preferences->count; i++) {
139 : 17823 : const struct s2n_signature_scheme *candidate = signature_preferences->signature_schemes[i];
140 : :
141 [ + + ]: 17823 : if (candidate->iana_value != iana_value) {
142 : 15024 : continue;
143 : 15024 : }
144 : :
145 [ + + ]: 2799 : if (!s2n_signature_scheme_is_valid_for_recv(conn, candidate)) {
146 : 1 : continue;
147 : 1 : }
148 : :
149 : 2798 : *chosen_sig_scheme = candidate;
150 : 2798 : return S2N_RESULT_OK;
151 : 2799 : }
152 : :
153 [ + - ]: 9 : RESULT_BAIL(S2N_ERR_INVALID_SIGNATURE_SCHEME);
154 : 9 : }
155 : :
156 : : static S2N_RESULT s2n_signature_algorithms_validate_supported_by_peer(
157 : : struct s2n_connection *conn, uint16_t iana)
158 : 6249 : {
159 [ # # ][ - + ]: 6249 : RESULT_ENSURE_REF(conn);
160 : :
161 : 6249 : const struct s2n_sig_scheme_list *peer_list = &conn->handshake_params.peer_sig_scheme_list;
162 [ + + ]: 34287 : for (size_t i = 0; i < peer_list->len; i++) {
163 [ + + ]: 34099 : if (peer_list->iana_list[i] == iana) {
164 : 6061 : return S2N_RESULT_OK;
165 : 6061 : }
166 : 34099 : }
167 : :
168 [ + - ]: 188 : RESULT_BAIL(S2N_ERR_NO_VALID_SIGNATURE_SCHEME);
169 : 188 : }
170 : :
171 : : static bool s2n_signature_algorithm_is_supported_by_peer(
172 : : struct s2n_connection *conn, uint16_t iana)
173 : 6249 : {
174 : 6249 : return s2n_result_is_ok(s2n_signature_algorithms_validate_supported_by_peer(conn, iana));
175 : 6249 : }
176 : :
177 : : S2N_RESULT s2n_signature_algorithm_select(struct s2n_connection *conn)
178 : 6432 : {
179 [ - + ][ # # ]: 6432 : RESULT_ENSURE_REF(conn);
180 [ - + ][ # # ]: 6432 : RESULT_ENSURE_REF(conn->secure);
181 : 6432 : struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
182 [ # # ][ - + ]: 6432 : RESULT_ENSURE_REF(cipher_suite);
183 : :
184 : 6432 : const struct s2n_signature_scheme **chosen_sig_scheme = NULL;
185 [ + + ]: 6432 : if (conn->mode == S2N_CLIENT) {
186 : 119 : chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
187 : 6313 : } else {
188 : 6313 : chosen_sig_scheme = &conn->handshake_params.server_cert_sig_scheme;
189 : 6313 : }
190 : :
191 : : /* Before TLS1.2, signature algorithms were fixed instead of negotiated */
192 [ + + ]: 6432 : if (conn->actual_protocol_version < S2N_TLS12) {
193 [ - + ]: 324 : RESULT_GUARD(s2n_signature_algorithms_get_legacy_default(conn, conn->mode, chosen_sig_scheme));
194 : 324 : return S2N_RESULT_OK;
195 : 324 : }
196 : :
197 : 6108 : const struct s2n_signature_preferences *signature_preferences = NULL;
198 [ - + ]: 6108 : RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
199 [ - + ][ # # ]: 6108 : RESULT_ENSURE_REF(signature_preferences);
200 : :
201 : 6108 : const struct s2n_signature_scheme *fallback_candidate = NULL;
202 : :
203 : : /* We use local preference order, not peer preference order, so we iterate
204 : : * over the local preferences instead of over the options offered by the peer.
205 : : */
206 [ + + ]: 31004 : for (size_t i = 0; i < signature_preferences->count; i++) {
207 : 30957 : const struct s2n_signature_scheme *candidate = signature_preferences->signature_schemes[i];
208 : :
209 : : /* Validates that a signature is valid to choose,
210 : : * including that it's allowed by the current protocol version.
211 : : */
212 [ + + ]: 30957 : if (!s2n_signature_scheme_is_valid_for_recv(conn, candidate)) {
213 : 730 : continue;
214 : 730 : }
215 : :
216 [ + + ]: 30227 : if (s2n_is_sig_scheme_valid_for_auth(conn, candidate) != S2N_SUCCESS) {
217 : 23978 : continue;
218 : 23978 : }
219 : :
220 : : /* s2n-tls first attempts to choose a signature algorithm offered by the peer.
221 : : * However, if that is not possible, we will attempt to continue the handshake
222 : : * anyway with an algorithm not offered by the peer. This fallback behavior
223 : : * is allowed by the RFC for TLS1.3 servers and partially allowed for TLS1.2
224 : : * servers that don't receive the signature_algorithms extension, but is
225 : : * otherwise an intentional deviation from the RFC.
226 : : *
227 : : * TLS1.3 servers:
228 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3
229 : : *# If the CertificateVerify message is sent by a server, the signature
230 : : *# algorithm MUST be one offered in the client's "signature_algorithms"
231 : : *# extension unless no valid certificate chain can be produced without
232 : : *# unsupported algorithms
233 : : *
234 : : * TLS1.3 clients:
235 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3
236 : : *= type=exception
237 : : *= reason=Compatibility with hypothetical faulty peers
238 : : *# If sent by a client, the signature algorithm used in the signature
239 : : *# MUST be one of those present in the supported_signature_algorithms
240 : : *# field of the "signature_algorithms" extension in the
241 : : *# CertificateRequest message.
242 : : *
243 : : * TLS1.2 servers:
244 : : *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.3
245 : : *= type=exception
246 : : *= reason=Compatibility with known faulty peers
247 : : *# If the client has offered the "signature_algorithms" extension, the
248 : : *# signature algorithm and hash algorithm MUST be a pair listed in that
249 : : *# extension.
250 : : *
251 : : * TLS1.2 clients:
252 : : *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
253 : : *= type=exception
254 : : *= reason=Compatibility with hypothetical faulty peers
255 : : *# The hash and signature algorithms used in the signature MUST be
256 : : *# one of those present in the supported_signature_algorithms field
257 : : *# of the CertificateRequest message.
258 : : */
259 : 6249 : bool is_peer_supported = s2n_signature_algorithm_is_supported_by_peer(
260 : 6249 : conn, candidate->iana_value);
261 [ + + ]: 6249 : if (is_peer_supported) {
262 : 6061 : *chosen_sig_scheme = candidate;
263 : 6061 : return S2N_RESULT_OK;
264 : 6061 : }
265 : :
266 : : /**
267 : : *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.4.1
268 : : *# If the client does not send the signature_algorithms extension, the
269 : : *# server MUST do the following:
270 : : *#
271 : : *# - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
272 : : *# DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
273 : : *# sent the value {sha1,rsa}.
274 : : *#
275 : : *# - If the negotiated key exchange algorithm is one of (DHE_DSS,
276 : : *# DH_DSS), behave as if the client had sent the value {sha1,dsa}.
277 : : *#
278 : : *# - If the negotiated key exchange algorithm is one of (ECDH_ECDSA,
279 : : *# ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}.
280 : : *
281 : : * The default scheme for DSA is not used because s2n-tls does not support DSA certificates.
282 : : *
283 : : * These defaults are only relevant for TLS1.2, since TLS1.3 does not allow SHA1.
284 : : */
285 [ + + ][ + + ]: 188 : bool is_default = (candidate == &s2n_ecdsa_sha1 || candidate == &s2n_rsa_pkcs1_sha1);
286 : :
287 : : /* If we ultimately cannot choose any algorithm offered by the peer,
288 : : * we will attempt negotiation with an algorithm not offered by the peer.
289 : : *
290 : : * The TLS1.2 RFC specifies default algorithms for use when no signature_algorithms
291 : : * extension is sent-- see the definition of is_default above.
292 : : *
293 : : * s2n-tls has encountered clients in the wild that support the TLS1.2
294 : : * default algorithms but do not include them in their signature_algorithms
295 : : * extension, likely due to a misreading of the RFC. So s2n-tls attempts
296 : : * to use the TLS1.2 defaults even when the client sends the signature_algorithms
297 : : * extension, and always treats them as the most preferred fallback option.
298 : : *
299 : : * If the TLS1.2 defaults are not possible-- for example, because TLS1.3
300 : : * or the security policy forbids SHA1-- we fallback to our own most
301 : : * preferred algorithm. In most cases a correctly implemented peer will reject
302 : : * this fallback, but the only alternative is to kill the connection here.
303 : : */
304 [ + + ]: 188 : if (is_default) {
305 : 22 : fallback_candidate = candidate;
306 [ + + ]: 166 : } else if (fallback_candidate == NULL) {
307 : 51 : fallback_candidate = candidate;
308 : 51 : }
309 : 188 : }
310 : :
311 [ + + ]: 47 : if (fallback_candidate) {
312 : 34 : *chosen_sig_scheme = fallback_candidate;
313 : 34 : } else {
314 [ + - ]: 13 : RESULT_BAIL(S2N_ERR_NO_VALID_SIGNATURE_SCHEME);
315 : 13 : }
316 : 34 : return S2N_RESULT_OK;
317 : 47 : }
318 : :
319 : : S2N_RESULT s2n_signature_algorithms_supported_list_send(struct s2n_connection *conn, struct s2n_stuffer *out)
320 : 7401 : {
321 : 7401 : const struct s2n_signature_preferences *signature_preferences = NULL;
322 [ - + ]: 7401 : RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
323 [ - + ][ # # ]: 7401 : RESULT_ENSURE_REF(signature_preferences);
324 : :
325 : 7401 : struct s2n_stuffer_reservation size = { 0 };
326 [ - + ]: 7401 : RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(out, &size));
327 : :
328 [ + + ]: 115339 : for (size_t i = 0; i < signature_preferences->count; i++) {
329 : 107938 : const struct s2n_signature_scheme *const scheme = signature_preferences->signature_schemes[i];
330 [ - + ][ # # ]: 107938 : RESULT_ENSURE_REF(scheme);
331 [ + + ]: 107938 : if (s2n_signature_scheme_is_valid_for_send(conn, scheme)) {
332 [ - + ]: 103715 : RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(out, scheme->iana_value));
333 : 103715 : }
334 : 107938 : }
335 [ - + ]: 7401 : RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&size));
336 : :
337 : 7401 : return S2N_RESULT_OK;
338 : 7401 : }
339 : :
340 : : int s2n_recv_supported_sig_scheme_list(struct s2n_stuffer *in, struct s2n_sig_scheme_list *sig_hash_algs)
341 : 7388 : {
342 : 7388 : uint16_t length_of_all_pairs = 0;
343 [ - + ]: 7388 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &length_of_all_pairs));
344 [ - + ]: 7388 : if (length_of_all_pairs > s2n_stuffer_data_available(in)) {
345 : : /* Malformed length, ignore the extension */
346 : 0 : return 0;
347 : 0 : }
348 : :
349 [ - + ]: 7388 : if (length_of_all_pairs % 2) {
350 : : /* Pairs occur in two byte lengths. Malformed length, ignore the extension and skip ahead */
351 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_skip_read(in, length_of_all_pairs));
352 : 0 : return 0;
353 : 0 : }
354 : :
355 : 7388 : int pairs_available = length_of_all_pairs / 2;
356 : :
357 [ + + ]: 7388 : if (pairs_available > TLS_SIGNATURE_SCHEME_LIST_MAX_LEN) {
358 [ + - ]: 1 : POSIX_BAIL(S2N_ERR_TOO_MANY_SIGNATURE_SCHEMES);
359 : 1 : }
360 : :
361 : 7387 : sig_hash_algs->len = 0;
362 : :
363 [ + + ]: 111357 : for (size_t i = 0; i < (size_t) pairs_available; i++) {
364 : 103970 : uint16_t sig_scheme = 0;
365 [ - + ]: 103970 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &sig_scheme));
366 : :
367 : 103970 : sig_hash_algs->iana_list[sig_hash_algs->len] = sig_scheme;
368 : 103970 : sig_hash_algs->len += 1;
369 : 103970 : }
370 : :
371 : 7387 : return 0;
372 : 7387 : }
373 : :
374 : : S2N_RESULT s2n_signature_algorithm_get_pkey_type(s2n_signature_algorithm sig_alg, s2n_pkey_type *pkey_type)
375 : 46978 : {
376 [ # # ][ - + ]: 46978 : RESULT_ENSURE_REF(pkey_type);
377 : 46978 : *pkey_type = S2N_PKEY_TYPE_UNKNOWN;
378 : :
379 : 46978 : switch (sig_alg) {
380 [ + + ]: 7000 : case S2N_SIGNATURE_RSA:
381 [ + + ]: 20278 : case S2N_SIGNATURE_RSA_PSS_RSAE:
382 : 20278 : *pkey_type = S2N_PKEY_TYPE_RSA;
383 : 20278 : break;
384 [ + + ]: 11382 : case S2N_SIGNATURE_RSA_PSS_PSS:
385 : 11382 : *pkey_type = S2N_PKEY_TYPE_RSA_PSS;
386 : 11382 : break;
387 [ + + ]: 15300 : case S2N_SIGNATURE_ECDSA:
388 : 15300 : *pkey_type = S2N_PKEY_TYPE_ECDSA;
389 : 15300 : break;
390 [ + + ]: 18 : case S2N_SIGNATURE_MLDSA:
391 : 18 : *pkey_type = S2N_PKEY_TYPE_MLDSA;
392 : 18 : break;
393 [ - + ]: 0 : default:
394 [ # # ]: 0 : RESULT_BAIL(S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
395 : 46978 : }
396 : :
397 : 46978 : return S2N_RESULT_OK;
398 : 46978 : }
|
